Support » Plugin: Contact Form 7 Database Addon - CFDB7 » Sql error onsave

  • Resolved dbadoinot

    (@dbadoinot)


    Hi,

    There is a strange behavior that happens when I configure Contact Form 7 with a textarea or text field containing a placeholder. When the form is submitted, single quotes are not escaped in the database, so when I open the details of the submitted form from the backend, the plugin tries to set the form to “read” but the SQL query fails:

    Extract from the PHP error_log:
    The generated query looks like:

    
    UPDATE wp_db7_forms SET form_value ='a:3:{s:12:"cfdb7_status";s:4:"read";s:3:"nom";s:11:"test ' test";s:12:"your-message";s:4:"test";}'
    

    You can see that the data “test ‘ test” is not escaped.

    If there is no placeholder on my textarea field, all works fine.

    Do you plan to fix it?
    Thank you !

    Test Environment:
    PHP: 7.2.12
    WordPress: 4.9.8
    Contact form 7: 5.0.5
    Contact Form CFDB7: 1.2.4.3
    No other plugin.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Arshid

    (@arshidkv12)

    Please send correct error log and cf7 shortcode details.


    Here are the details:

    Contact form 7 template:

    
    [text* name placeholder "your-name"]
    [textarea* your-message placeholder "your-message"]
    [submit "Send"]
    

    Error on the detail page:

    
    [Tue Dec 11 08:35:18.753909 2018] [php7:notice] [pid 219] [client 10.42.42.118:47792] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'toto";s:12:"your-message";s:7:"message";}' WHERE form_id = 21' at line 2 for query UPDATE wp_db7_forms SET form_value =\n                            'a:3:{s:12:"cfdb7_status";s:4:"read";s:4:"name";s:11:"test ' toto";s:12:"your-message";s:7:"message";}' WHERE form_id = 21 made by do_action('toplevel_page_cfdb7-list'), WP_Hook->do_action, WP_Hook->apply_filters, Cfdb7_Wp_Main_Page->list_table_page, CFdb7_Form_Details->__construct, CFdb7_Form_Details->form_details_page, referer: http://10.42.42.41:7080/wp-admin/admin.php?page=cfdb7-list.php&fid=5
    10.42.42.118 - - [11/Dec/2018:08:35:18 +0000] "GET /wp-admin/admin.php?page=cfdb7-list.php&fid=5&ufid=21 HTTP/1.1" 200 6559 "http://10.42.42.41:7080/wp-admin/admin.php?page=cfdb7-list.php&fid=5" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
    

    The code that generates the error (wp-content/plugins/contact-form-cfdb7/inc/admin-form-details.php:83):

    
    $form_data['cfdb7_status'] = 'read';
    $form_data = serialize( $form_data );
    $form_id = $results[0]->form_id;
    
    // The serialized string is interpolated directly into the SQL text; a single
    // quote inside a submitted value ends the string literal early.
    $cfdb->query( "UPDATE $table_name SET form_value =
        '$form_data' WHERE form_id = $form_id"
    );
    

    Thanks
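As an added example (not the plugin's code and not from this thread), the following PHP reproduces the failure with an in-memory SQLite table standing in for wp_db7_forms and then runs the parameterised update that keeps the quote intact; the table name, the PDO stand-in for `$wpdb` and the sample values are assumptions.

```php
<?php
// Added example: reproduce the CFDB7 report against SQLite, then fix it.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE db7_forms (form_id INTEGER PRIMARY KEY, form_value TEXT)');

// Constructed submission: the text field contains a single quote, like "another ' try" above.
$submission = ['mydata1' => "another ' try", 'mydata2' => 'body of message'];
$stmt = $db->prepare('INSERT INTO db7_forms (form_id, form_value) VALUES (?, ?)');
$stmt->execute([22, serialize($submission)]);

// Same steps as admin-form-details.php: load, mark as read, re-serialize.
$row = $db->query('SELECT form_value FROM db7_forms WHERE form_id = 22')->fetch(PDO::FETCH_ASSOC);
$form_data = unserialize($row['form_value']);
$form_data['cfdb7_status'] = 'read';
$form_data = serialize($form_data);   // contains s:13:"another ' try"; verbatim
$form_id = 22;

// 1. The reported pattern: the serialized string is interpolated into the SQL text.
//    The quote inside the value closes the literal early and the statement does not parse.
try {
    $db->exec("UPDATE db7_forms SET form_value = '$form_data' WHERE form_id = $form_id");
    echo "unexpected: interpolated query succeeded\n";
} catch (PDOException $e) {
    echo 'interpolated query failed: ' . $e->getMessage() . "\n";
}

// 2. Parameterised update: the value travels separately from the SQL, so the
//    quote never reaches the parser. In WordPress the equivalent is
//    $wpdb->query( $wpdb->prepare( "UPDATE $table_name SET form_value = %s WHERE form_id = %d",
//                                  $form_data, $form_id ) );
$stmt = $db->prepare('UPDATE db7_forms SET form_value = ? WHERE form_id = ?');
$stmt->execute([$form_data, $form_id]);

// Round trip: status updated and the quote stored as-is, not as an HTML entity.
$row = $db->query('SELECT form_value FROM db7_forms WHERE form_id = 22')->fetch(PDO::FETCH_ASSOC);
$saved = unserialize($row['form_value']);
assert($saved['cfdb7_status'] === 'read');
assert($saved['mydata1'] === "another ' try");
echo "parameterised update stored: {$saved['mydata1']}\n";
```

Run with `php example.php` (needs the pdo_sqlite extension); the first UPDATE throws the syntax error seen in the error_log, the second succeeds.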

    Plugin Author Arshid

    (@arshidkv12)

    Change field name “name” to some other name.

    I changed the Contact Form 7 template to:

    
    [text* mydata1 placeholder "your-name"]
    [textarea* mydata2 placeholder "your-message"]
    [submit "Send"]
    

    but the problem is still present:

    
    [Tue Dec 11 11:05:47.995663 2018] [php7:notice] [pid 218] [client 10.42.42.118:57350] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'try";s:7:"mydata2";s:15:"body of message";}' WHERE form_id = 22' at line 2 for query UPDATE wp_db7_forms SET form_value =\n                            'a:3:{s:12:"cfdb7_status";s:4:"read";s:7:"mydata1";s:13:"another ' try";s:7:"mydata2";s:15:"body of message";}' WHERE form_id = 22 made by do_action('toplevel_page_cfdb7-list'), WP_Hook->do_action, WP_Hook->apply_filters, Cfdb7_Wp_Main_Page->list_table_page, CFdb7_Form_Details->__construct, CFdb7_Form_Details->form_details_page, referer: http://10.42.42.41:7080/wp-admin/admin.php?page=cfdb7-list.php&fid=5
    10.42.42.118 - - [11/Dec/2018:11:05:47 +0000] "GET /wp-admin/admin.php?page=cfdb7-list.php&fid=5&ufid=22 HTTP/1.1" 200 6573 "http://10.42.42.41:7080/wp-admin/admin.php?page=cfdb7-list.php&fid=5" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
    

    I sent as input:
    “another ‘ try” to the data1 field
    “body of message” to the data2 field

    We can see that in the words “another ‘ try” the character is not escaped.

    Plugin Author Arshid

    (@arshidkv12)

    I will check it soon.

    Plugin Author Arshid

    (@arshidkv12)

    Take CSV backup. Then delete submissions and update plugin and check it.

    dbadoinot

    (@dbadoinot)

    I would prefer to keep the original character ‘ or ” instead of transforming it into an HTML character, but it works.

    Thank you for your responsiveness.
